When the PKCS7 is verified later on, OpenSSL will at first look through the certificates you provided and then look in the SignedData itself if it can find the signing certificate there. It does, so it ignores your additional certificate. With the signing certificate included,

signed.verify(nil, cert_store)

will also succeed, and this is expected. If you want it to behave differently, you may either use the flags as in your second example, or you might sign the data without including the signing certificates.

Regarding the time issue, you ran into the Y2K38 problem there. This shouldn't be a problem anymore with your Ruby version, and it works on my Linux machine, could be that it is a problem specific to Windows. I'll close this issue and open a separate one for the time problem as they are not related.